As a former systems/network administrator for several large companies, I was responsible for keeping every system in the offices up and running while also maintaining a stable network. Anyone who has held these jobs knows they are not easy, especially alone; in most cases I was doing them on my own, with little or no support from the company hierarchy.

I am not the only one who has ever wound up in a situation like that, but for systems and network admins who have to tough it out alone, there is salvation. It's called tools.

A proper systems/network administrator usually has his or her own toolset that helps keep everything running. Without those tools it would be very difficult to keep a company up and running 24/7.

One such tool that most systems/network admins have is a network analyzer. A network analyzer is either a specialized hardware device or software running on a desktop or laptop that captures the packets transmitted on a network for routine inspection and problem detection. Also called a "sniffer," "packet sniffer," "packet analyzer," "traffic analyzer," or "protocol analyzer," it plugs into a port on a network hub, or into a mirror/monitoring port on a managed switch (a switch only delivers each frame to the port where its destination lives, so an ordinary switch port sees little beyond broadcasts and its own traffic), and decodes one or more protocols into a human-readable format for the administrator. It can also store packets on disk for further analysis later.

Network analyzers come in every price range, but one low-cost option covers what a network analyzer needs to do and more: Give Me Too from SpyArsenal.

Give Me Too is a packet sniffer and network analyzer that plugs into a computer network and lets admins monitor the Internet and e-mail activity on it. It captures data carried over HTTP, FTP, SMTP, IMAP, POP3, and IRC; all of these are cleartext protocols, which is what makes it possible to reconstruct the pages and messages themselves. Everything captured is stored in a folder and organized for easy navigation: captured web pages and e-mail messages are sorted by protocol and by computer or e-mail account.

If several network cards are installed, Give Me Too can intercept packets on all of them simultaneously; up to 9 network interfaces are supported, and each interface can have its own settings.

Give Me Too also has a filtering system for capturing only the information you want: for example, only data from a specific URL, only data requested by a specific IP address, or only e-mail from a specific sender.

The analyzer can also run in command-line mode and can read tcpdump capture files produced by other sniffers, and the same filters can be applied to data captured either way.

Installation and setup of Give Me Too is very straightforward: run the installer, then click the icon to open the application.

I had no problems getting Give Me Too up and running on my home network. I was able to monitor all of the traffic from the 6 PCs that were operational: the BitTorrent downloads, the e-mail traffic, and all of the web surfing. It was nice to have it all in front of me in a readable format, and nice to be able to monitor multiple network cards to see what was going on.

I forwarded a link to Give Me Too to a business associate of mine who runs a small Web hosting service, as it should help him isolate some of the network traffic issues he has been having of late. And since he is not an experienced network admin, this application should be right up his alley.

If any technical help is needed on Give Me Too, SpyArsenal's website offers online help, forums, and a feedback form for assistance.

Give Me Too is an easy to use and affordable solution for anyone who needs a solid network analyzer tool.

so wait …(2:45pm EST Thu Jul 15 2004)how does it work on a switch? Unless you have a hub on each switch line and are simply monitoring that particular hub, I see no benefit with a switch unless of course you opt to have the switch act like a hub and forward each packet regardless of the destination…..

Amy R. Zunk(3:10pm EST Thu Jul 15 2004)So true, so true. NWadmin was a good start to the whole tool set back in the 80's. Remember Cyberkit when it 1st came out? Lucent had a nice tool until they no longer made it public. The problem is that linux came along and brought with it a lot of unix stuff. So, when we started looking at these tools, we were looking at a different interface and tool set. By the time that STD, LAS, LS … distros came out, there were a dozen of this type of tools on the menu. And that is what we started using/learning. Sometimes we are allowed to spend upgrade dollars on tools, but all too often we use what's free. – by tech

It's called a Tagged Port(3:32pm EST Thu Jul 15 2004)Switches – by Bytches

cng(3:52pm EST Thu Jul 15 2004)i looked at their site. as far as i can tell, the program does not, and cannot, work over a switch. it's hard to see how any such software could work over a switch. as you say, the whole point of a switch is that it does not blindly forward packets to all destinations in the lan.

the website hints at this when it says “… this network sniffer … is absolutely invisible even to the users of your computer.”

the only way this could be useful in any medium or large office setting would be to set it up on a PC that was either acting as the internet proxy/firewall, or was “near” it, ethernet wise. and you still typically wouldn't intercept intranet bound packets.

i suppose you could install a copy on every user's machine…

p.s. most of the website's forum's posters have obscene names, and most of the replies are links to the product's marketing blurb.

– by dave jordan

amplification(4:06pm EST Thu Jul 15 2004)of course there are probably routers out there that can be configured to forward a copy of every packet to your ip address. but (hopefully) the sniffer software cannot mandate this. but, it is also unclear as to whether this particular sniffer package captures inbound packets at all.

i have only ever dealt with 3com low-end switches which are practically configurationless.

Bytches: can you elaborate on “tagged ports”? – by dave jordan

Switched Network sniffing(4:07pm EST Thu Jul 15 2004)I wrote a switched network sniffer as a college project a couple of months ago. There are a few ways to sniff traffic in a switched environment. The most common way is arp poisoning. You send fake arp packets with the IP of another machine on your network (the gateway is most useful) and your own MAC address. All packets destined for that IP will now be sent to you, which you can then save and/or modify before sending on to the real destination.

Ettercap is a nice, free switch friendly sniffer. – by Mick

Good Managed Switches…(4:13pm EST Thu Jul 15 2004)

.. usually have a way of enabling a “promiscuous mode” which will dump traffic from all the other ports (or a choice of other ports) through a specific, reserved port.

For example, HP's ProCurve managed switches allow you to specify a “monitoring port” – this is where you plug in your analyzer/sniffer. Then you tell the switch which ports, range of ports, or VLANs (virtual LANs – isolated LAN segments that don't “talk” to each other, even through the same switch) you want to monitor.

Selective “hubbing,” if you will…

– by K. Adams

arp poisoning(4:17pm EST Thu Jul 15 2004)veddy eenteresting.

how do you know how often to repoison the a.r. table? – by dave

One Word(4:18pm EST Thu Jul 15 2004)Ethereal

– by Duh!

Mick: ARP Poisoning Monitoring Method?(4:19pm EST Thu Jul 15 2004)

I would guess that procedure only works on one side of a tightly configured firewall?

I mean, do you go as far as to make sure that IP packet sequence numbers and such are maintained?

Otherwise, how would you avoid detection?

Interesting idea, though. Hadn't thought of that one…

– by K. Adams

arp poisoning(4:27pm EST Thu Jul 15 2004)> how do you know how often to repoison the a.r. table?

Usually you send out another fake arp every few seconds. Most progs will let you set the delay. If you have a high delay you could miss some traffic if a real arp is sent during the interval. But a good sniffer will listen out for arp packets and fire off a fake arp as soon as it detects one. Real arps are broadcast to all hosts. – by Mick

ARP Poisoning Monitoring Method(4:49pm EST Thu Jul 15 2004)You don't have to worry about IP sequence numbers. When the packet comes in, you just change the MAC addresses on the ethernet frame, regenerate the CRC and send it off again. Other than the MAC address, it is an identical copy of the original packet. A firewall won't see anything wrong with it.

The only way to be detected is if someone is running a prog specifically designed to counter this attack. They listen to all arp packets and maintain their own arp table. Unlike the OS, if this prog sees that an IP-to-MAC mapping changes, it will warn you. – by Mick
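The mechanics Mick describes in the three posts above, as an added example in Python that is not part of the original thread or any commenter's code: the ARP reply a poisoner sends (the gateway's IP paired with the attacker's own MAC), the relay step that rewrites only the two Ethernet addresses and leaves the rest of the frame intact, and the detector that keeps its own IP-to-MAC table and warns when a mapping changes. All addresses are made up and nothing is transmitted; the frames are built as bytes and fed straight to the detector.

```python
"""Added example: build the ARP reply a poisoner sends, relay a frame by rewriting its
MAC addresses, and detect poisoning with an independent IP->MAC table. Constructed
frames only; nothing is put on the wire."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply: 14-byte Ethernet header + 28-byte ARP body.
    A poisoner sends this with sender_ip = the gateway's IP and sender_mac = its own MAC."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP-over-Ethernet frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, bytes_to_mac(frame[22:28]), bytes_to_ip(frame[28:32])


def relay_frame(frame, real_dst_mac, own_mac):
    """What the man-in-the-middle does with an intercepted frame: rewrite only the two
    Ethernet addresses and forward it. Everything from the EtherType onward is untouched;
    the frame check sequence is recomputed by the NIC when the frame is sent again."""
    return mac_to_bytes(real_dst_mac) + mac_to_bytes(own_mac) + frame[12:]


class ArpWatcher:
    """Detector from the thread: remember the first MAC seen for each IP and alert on any
    ARP frame (request or reply) whose sender fields claim a different one. The OS cache
    would silently overwrite the entry instead."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _op, mac, ip = parsed
        known = self.table.setdefault(ip, mac)
        if known != mac:
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample traffic (hypothetical addresses): the real gateway answers first,
# then a poisoner on the same LAN claims the gateway's IP for its own MAC, twice.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:dd:ee:01"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def run_demo():
    watcher = ArpWatcher()
    frames = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # re-poison later
    ]
    for f in frames:
        watcher.observe(f)
    return watcher.alerts


if __name__ == "__main__":
    for ip, was, now in run_demo():
        print(f"ARP poisoning suspected: {ip} was {was}, now claimed by {now}")
```

The watcher deliberately keeps the first mapping it saw rather than the latest, so every re-poison frame produces another alert; the trade-off is that a genuine NIC replacement on the gateway will also alert until the table is reset, which is the same false positive a real tool of this kind has to live with.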

other side of the coin(4:50pm EST Thu Jul 15 2004)how could i prevent an evil insider from poisoning my lan? – by dave

Try this(4:51pm EST Thu Jul 15 2004)If you are going to have to forward ports to a monitoring port anyways, may as well try ethereal first… I did this on an enterprise with several large Enterasys Matrix switches and it did the trick (just to get an “idea” of what kind of traffic was on the net). The files were very big however even for a 15 minute scan so be prepared…. – by Mankey

and so on for each host on your network. Not a problem if you've got a small LAN, but I wouldn't want to be stuck creating and maintaining 255 tables each with 255 entries – by Mick

hmm(5:33pm EST Thu Jul 15 2004)presumably some of the higher end routers can be told to ignore remote requests to change gateway ip address? – by dave

or rather(5:35pm EST Thu Jul 15 2004)to change the mac? – by dave

Ethereal!!!(5:55pm EST Thu Jul 15 2004)Great tool $0 COST! – by Deats

Pay for an analyzer?(6:47pm EST Thu Jul 15 2004)The SNMP utility that comes stock with windows does all of this. Any admin should know that. For those that don't, control panel>add remove programs>add remove windows components>Management and Monitoring tools.. – by PEBKAC Connoisseur

Bootable CD(8:07pm EST Thu Jul 15 2004)There are a number of free bootable CD images available, which contain lots of free powerful security tools. One good CD is the Network Security Toolkit at – by Eric

banner day at geek.com(10:27pm EST Thu Jul 15 2004)this has been most edumacational for me, the simple country geek.

thanks, all – by dave

How is this better than Linux ethereal?(10:10am EST Fri Jul 16 2004)Ethereal is the packet sniffer that comes with Linux. For those Windows users and the text challenged, there is a graphic version of Ethereal. Ethereal has a lot of network protocols that are not included in many commercial protocol sniffers, like many wireless protocols.

ex: You are a real goof. You can always get a spare older computer which can't run Windows XP and have it run Ethereal. We have a low end computer devoted to packet sniffing with two ethernet ports in the network lab. – by Use free ethereal

Zealots(10:17am EST Fri Jul 16 2004)As much good information as some people may have about a certain subject, I have trouble listening to them when they have a biased opinion. I don't understand why everything has to be Linux vs. Windows. Both have their places. – by PEBKAC Connoisseur

How is this better than Linux ethereal?(10:43am EST Fri Jul 16 2004)No bias, it comes from experience using Ethereal which comes standard with Linux.

From my man page of Ethereal

Ethereal is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Ethereal's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools. In addition, Ethereal can read capture files from snoop and atmsnoop, Shomiti/Finisar Surveyor captures, Novell LANalyzer captures, Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures, Microsoft Network Monitor captures, files from AIX's iptrace, Cinco Networks NetXRay captures, captures from Network Associates Windows-based Sniffer, AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp captures, captures from RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output, files from HP-UX's nettl, the dump output from Toshiba's ISDN routers, the output from i4btrace from the ISDN4BSD project, the output in IPLog format from the Cisco Secure Intrusion Detection System, pppd logs (pppdump format), the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities, the text output from the DBS Etherwatch VMS utility, traffic capture files from Visual Networks' Visual UpTime, the output from CoSine L2 debug, the output from Accellent's 5Views LAN agents, captures in Endace Measurement Systems' ERF format, Linux Bluez Bluetooth stack hcidump -w traces, captures from Network Instruments Observer version 9, and traces from the EyeSDN USB S0. There is no need to tell Ethereal what type of file you are reading; it will determine the file type by itself. Ethereal is also capable of reading any of these file formats if they are compressed using gzip. Ethereal recognizes this directly from the file; the '.gz' extension is not required for this purpose. – by Use free ethereal
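The man page quoted above says Ethereal's native format is libpcap, the same format tcpdump writes (and the "tcpdump files" the review says Give Me Too can read), and that Ethereal works out the file type on its own. The following is an added example, written for this page and not code from Ethereal, tcpdump or any commenter, of how a reader does that for libpcap: it writes a capture image, recovers byte order and timestamp resolution from the magic number alone, reads the records back, and stops cleanly at a truncated last record instead of crashing. The frames and timestamps are constructed.

```python
"""Added example: a minimal writer and reader for the libpcap capture format that tcpdump
writes and Ethereal reads natively. Constructed frames only; no live capture."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4          # classic magic, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D          # variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(frames, nanosecond=False, big_endian=False):
    """Serialise (timestamp_seconds, frame_bytes) pairs into a libpcap file image.
    Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    end = ">" if big_endian else "<"
    magic = PCAP_MAGIC_NS if nanosecond else PCAP_MAGIC_US
    scale = 1_000_000_000 if nanosecond else 1_000_000
    out = struct.pack(end + "IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        frac = int(round((ts - sec) * scale))
        # record header: ts_sec, ts_frac, captured length, original length
        out += struct.pack(end + "IIII", sec, frac, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Work out byte order and timestamp resolution from the magic number (the caller
    never has to say what it is handing over), then return (linktype, [(ts, frame), ...]).
    A record cut short, as when the sniffer died mid-write, ends the list instead of raising."""
    if len(data) < 24:
        raise ValueError("too short for a libpcap global header")
    for end in ("<", ">"):
        magic = struct.unpack(end + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a libpcap file: unknown magic %r" % data[:4])
    scale = 1_000_000_000 if magic == PCAP_MAGIC_NS else 1_000_000
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    packets, offset = [], 24
    while offset + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(end + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            break                       # truncated last record: keep what was complete
        packets.append((sec + frac / scale, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, packets


def ethertype_counts(frames):
    """First decoding step any analyzer does on an Ethernet capture: tally EtherTypes
    (0x0806 ARP, 0x0800 IPv4, 0x86dd IPv6) from bytes 12-13 of each frame."""
    counts = {}
    for frame in frames:
        if len(frame) >= 14:
            etype = struct.unpack("!H", frame[12:14])[0]
            counts[etype] = counts.get(etype, 0) + 1
    return counts


# Constructed sample: one ARP frame and one IPv4 frame with zeroed payloads, stamped with
# made-up times. Addresses are hypothetical.
SAMPLE_FRAMES = [
    (1089920700.5, b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00" * 28),
    (1089920701.25, bytes.fromhex("aabbccddee01") + bytes.fromhex("001122334455") + b"\x08\x00" + b"\x00" * 20),
]


def run_demo():
    """Round-trip the sample through both byte orders and both timestamp resolutions."""
    results = {}
    for ns in (False, True):
        for be in (False, True):
            linktype, packets = read_pcap(write_pcap(SAMPLE_FRAMES, ns, be))
            results[(ns, be)] = (linktype, ethertype_counts(f for _, f in packets))
    return results


if __name__ == "__main__":
    for (ns, be), (linktype, counts) in run_demo().items():
        print(f"nanosecond={ns} big_endian={be} linktype={linktype} ethertypes={counts}")
```

The truncation check matters in practice: a capture from a sniffer that was killed, or from a disk that filled up (Mankey's warning above about file size is not idle), usually ends mid-record, and a reader that trusts the length field blindly either raises or reads garbage as a packet.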

Re: ex(7:22pm EST Fri Jul 16 2004)"Unless you don't have any Linux systems, goof – by ex" You are the real goof, ex. You can boot off a Knoppix Live CD and run ethereal. – by Knoppix Linux user

Ethereal(9:27pm EST Fri Jul 16 2004)Ethereal has versions for Windows and Linux, so you can choose. And of course, there are the many free bootable Linux CD's we've already mentioned.

– by Eric

Top bandwidth consumer(2:42pm EST Mon Jul 19 2004)Does anyone know of a realtime Top Bandwidth consumer tool? I know how to do it with packet sniffers but I want something that I can leave running all the time, with alarms for anything over 90% usage for a duration of 5 minutes or more – by Trentn

RE: Trentn(5:31pm EST Tue Jul 20 2004)Try ntop –

– by chris

What are the best meds for PARANOIA!!!(10:06am EST Fri Jul 23 2004)I just have a simple home LAN. And, all I want is a secure system, but it looks like the number of effective hacks is infinite!!!

Let me be the first to say it out loud, this whole thread has made me even more paranoid than ever.

Is there a cure? Is it Prozac, Paxil, or pizza? Is there a new age method for denial that works? Will I really need to have the knowledge of an Uberhacker just to protect my home LAN? – by generaly

RE: PARANOIA(6:59pm EST Wed Jul 28 2004)At the moment, you should be safe at home if you have the following, or similar, starting with the most important: